Bug 717156 (CVE-2020-5260) - <dev-vcs/git-{2.23.2,2.24.2,2.25.3}: crafted URL could leak credential information CVE-2020-5260
Summary: <dev-vcs/git-{2.23.2,2.24.2,2.25.3}: crafted URL could leak credential inform...
Status: RESOLVED FIXED
Alias: CVE-2020-5260
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-11 22:35 UTC by Thomas Deutschmann
Modified: 2020-04-23 15:18 UTC

See Also:
Package list:
dev-vcs/git-2.23.2 amd64 arm arm64 ppc ppc64 x86 hppa sparc s390
dev-vcs/git-2.24.2 amd64 arm arm64 ppc ppc64 x86 hppa sparc s390
dev-vcs/git-2.25.3 amd64 arm arm64 ppc ppc64 x86 hppa sparc s390
Runtime testing required: Yes
nattka: sanity-check+


Description Thomas Deutschmann gentoo-dev Security 2020-04-11 22:35:31 UTC
Incoming details.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-13 17:26:25 UTC
Whissi:
ACK on the mail; will have releases out shortly after the upstream tarballs are available.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-14 18:16:32 UTC
Tarballs are now available and ebuilds are updated.

Arches, please build with FEATURES=test and stabilize.
Slow arches should prioritize 2.25.3 if build&test time is a concern.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-04-14 18:20:35 UTC
CVE-2020-5260:
With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a
wrong host.  The attack has been made impossible by forbidding a
newline character in any value passed via the credential protocol.
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-15 08:27:13 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-04-15 09:33:28 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-15 09:33:59 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-15 09:34:39 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-15 12:13:49 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-15 13:37:14 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-15 13:40:16 UTC
ppc64 stable
Comment 11 Sam James archtester gentoo-dev Security 2020-04-15 14:34:34 UTC
reluctantly stable on arm64 due to bug 524430
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-04-15 21:34:28 UTC
CVE-2020-5260 (https://nvd.nist.gov/vuln/detail/CVE-2020-5260):
  Affected versions of Git have a vulnerability whereby Git can be tricked
  into sending private credentials to a host controlled by an attacker. Git
  uses external "credential helper" programs to store and retrieve passwords
  or other credentials from secure storage provided by the operating system.
  Specially-crafted URLs that contain an encoded newline can inject unintended
  values into the credential helper protocol stream, causing the credential
  helper to retrieve the password for one server (e.g., good.example.com) for
  an HTTP request being made to another server (e.g., evil.example.com),
  resulting in credentials for the former being sent to the latter. There are
  no restrictions on the relationship between the two, meaning that an
  attacker can craft a URL that will present stored credentials for any host
  to a host of their choosing. The vulnerability can be triggered by feeding a
  malicious URL to git clone. However, the affected URLs look rather
  suspicious; the likely vector would be through systems which automatically
  clone URLs not visible to the user, such as Git submodules, or package
  systems built around Git. The problem has been patched in the versions
  published on April 14th, 2020, going back to v2.17.x. Anyone wishing to
  backport the change further can do so by applying commit 9a6bbee (the full
  release includes extra checks for git fsck, but that commit is sufficient to
  protect clients against the vulnerability). The patched versions are:
  2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3,
  2.26.1.
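As an added illustration of the mechanism and fix described in the two advisory texts above (Comment 3 and Comment 12): a Python model of the newline-delimited credential-helper protocol, showing why a repeated key let an injected line win and the value check that closes the hole. This is not git's own code (git's fix is in C), and the host names and streams are constructed samples.

```python
# Added example, not git's code: a model of the git credential-helper protocol
# (key=value lines, blank line ends the record) and the newline check from the fix.


class CredentialProtocolError(ValueError):
    """Raised when a value cannot be safely placed on the protocol stream."""


def is_safe_value(value: str) -> bool:
    """The fix forbids a newline in any value: it would start a new record line."""
    return "\n" not in value


def write_credential(fields: dict) -> str:
    """Serialise fields as the lines git feeds to a credential helper.

    A value containing '\n' would be read by the helper as an additional
    key=value line, so the hardened writer refuses it instead of emitting it.
    """
    lines = []
    for key, value in fields.items():
        if not is_safe_value(value):
            raise CredentialProtocolError(
                f"credential value for {key!r} contains a newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def read_credential(stream: str) -> dict:
    """Parse a stream the way a helper does: one key=value per line, a blank line
    ends the record, and a repeated key overwrites the earlier one. That last-wins
    rule is what made an injected 'host=' line change which stored password the
    helper looked up for the request."""
    fields = {}
    for line in stream.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise CredentialProtocolError(f"malformed protocol line {line!r}")
        fields[key] = value
    return fields


if __name__ == "__main__":
    # Constructed request for a benign host round-trips unchanged.
    print(read_credential(write_credential(
        {"protocol": "https", "host": "good.example.com"})))
```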
Comment 13 Rolf Eike Beer 2020-04-16 19:22:31 UTC
hppa stable
Comment 14 Sam James archtester gentoo-dev Security 2020-04-16 19:25:24 UTC
@maintainer(s), please clean up
Comment 15 Thomas Deutschmann gentoo-dev Security 2020-04-23 14:48:20 UTC
Added to an existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-04-23 15:18:29 UTC
This issue was resolved and addressed in GLSA 202004-13 at https://security.gentoo.org/glsa/202004-13 by GLSA coordinator Thomas Deutschmann (whissi).